[Resolvido!] Analise de Log do HijHackThis

[Igor Barbosa 0]

Olá, estou com alguns trojans dentre eles o Sality, sou leigo no assunto mas sei que nao é boa coisa

Se puderem ajudar eu agradeço

Segue abaixo o log

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:41:31, on 3/3/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Windows\System\svchosl.exe

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\Explorer.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Windows\System\svchosl.exe

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Explorer.exe

C:\Hijack\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Alawar.com Toolbar - {511131f1-4629-4254-a85f-ed7b6d75dd3c} - C:\Arquivos de programas\Alawar.com\tbAla1.dll (file missing)

F2 - REG:system.ini: Shell=Explorer.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Alawar.com Toolbar - {511131f1-4629-4254-a85f-ed7b6d75dd3c} - C:\Arquivos de programas\Alawar.com\tbAla1.dll (file missing)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\ARQUIV~1\DAP\DAPIEL~1.DLL

O3 - Toolbar: Alawar.com Toolbar - {511131f1-4629-4254-a85f-ed7b6d75dd3c} - C:\Arquivos de programas\Alawar.com\tbAla1.dll (file missing)

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [msnmsrg] C:\Windows\System\svchosl.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\smax4.exe" /tray

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Arquivos de programas\Corel\Corel MediaOne\Corel Photo Downloader.exe" -startup

O4 - HKLM\..\RunOnce: [spybotDeletingA7147] command.com /c del "C:\WINDOWS\ntdtcstp.dll_old"

O4 - HKLM\..\RunOnce: [spybotDeletingC1038] cmd.exe /c del "C:\WINDOWS\ntdtcstp.dll_old"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [EPSON Stylus TX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFL.EXE /FU "C:\WINDOWS\TEMP\E_S7C.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [mstwain32] C:\WINDOWS\mstwain32.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-57989841-1757981266-725345543-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Dani')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Service Manager.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{668F7278-5AE7-4C18-A5A5-0C17F9E8E7E0}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS1\Services\Tcpip\..\{668F7278-5AE7-4C18-A5A5-0C17F9E8E7E0}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS2\Services\Tcpip\..\{668F7278-5AE7-4C18-A5A5-0C17F9E8E7E0}: NameServer = 208.67.222.222,208.67.220.220

O20 - AppInit_DLLs: , C:\WINDOWS\system32\mswocx.dll

O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe

O23 - Service: Buddy Central Service 2 (BuddyCentralService) - Unknown owner - C:\GBWC Server\BuddyCenter\BuddyCenter2.exe (file missing)

O23 - Service: Buddy Service 2 (BuddyService) - Unknown owner - C:\GBWC Server\BuddyServ\BuddyServ2.exe (file missing)

O23 - Service: GunBoundXPBroker[8372] - Unknown owner - C:\GBWC Server\GunBoundBroker\GunBoundBroker3.exe (file missing)

O23 - Service: GunBoundXPServ[8360] - Unknown owner - C:\GBWC Server\GunBoundServ1\GunBoundServ3.exe (file missing)

O23 - Service: GunBoundXPServ[8361] - Unknown owner - C:\GBWC Server\GunBoundServ2\GunBoundServ3.exe (file missing)

O23 - Service: GunBoundXPServ[8362] - Unknown owner - C:\GBWC Server\GunBoundServ3\GunBoundServ3.exe (file missing)

O23 - Service: GunBoundXPServ[8363] - Unknown owner - C:\Gunbound\Server8363\GunBoundServ3.exe (file missing)

O23 - Service: Google Update Service (gupdate1c99a88363f6988) (gupdate1c99a88363f6988) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

 

--

End of file - 10426 bytes

[wings 22]

Bom dia....

 

 

1.

Abra o Spybot

No menu superior, clique em [Modo] > [Avançado] e confirme.

Clique em [Ferramentas] > [Residente]

Desmarque a opção Ativar "TeaTimer" do Residente (proteção geral das configurações de sistema).

Feche o programa.

 

2.

*Baixe o SDFix e salve-o no desktop

*Desative temporariamente seu antivírus

*Duplo clique em SDFix.exe e a ferramenta será instalada em C:\SDFix

*Reinicie o PC em Modo de Segurança (aperte F8 de forma intermitente durante a inicialização do PC e selecione "Modo Seguro")

*Na pasta C:\SDFix localize e execute o arquivo RunThis.bat

*Tecle [Y]

*Ao término, pressione qualquer tecla

*O PC será reiniciado automaticamente

*Ao reiniciar, a ferramenta novamente será executada

*Caso não ocorra a execução automática, execute novamente o arquivo RunThis.bat e tecle [F]

*Ao surgir "The FixTool has finished", pressione qualquer tecla

*Cole o relatório criado em C:\SDFix\Report.txt

[Igor Barbosa 0]

SDFix: Version 1.240

Run by winxp on qua 03/03/2010 at 11:45

 

Microsoft Windows XP [versÆo 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINDOWS\cmsetac.dll - Deleted

C:\WINDOWS\cmsetac.dll - Deleted

C:\WINDOWS\ktd32.atm - Deleted

C:\WINDOWS\mstwain32.exe - Deleted

C:\WINDOWS\ntdtcstp.dll - Deleted

C:\WINDOWS\system32\fservice.exe - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-03 12:38:55

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000002

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]

"p0"="C:\Arquivos de programas\DAEMON Tools Lite\"

"h0"=dword:00000001

"hdf12"=hex:99,c4,3f,2d,f2,b8,15,ec,20,b1,98,f0,88,22,11,04,9c,b6,94,1e,fb,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]

"a0"=hex:20,01,00,00,3a,5a,2a,c2,a5,0d,64,57,86,c7,fd,ff,8a,f2,12,b6,7c,..

"hdf12"=hex:5f,ac,3a,0e,fc,14,7c,26,89,6d,13,d7,e7,35,7b,9d,ea,60,02,29,a1,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]

"hdf12"=hex:60,be,76,af,ef,f0,ce,70,5a,b6,3b,9a,3b,d5,31,b6,7d,e3,8e,20,a5,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]

"hdf12"=hex:0c,6f,e8,5c,e9,35,7f,96,52,1d,07,98,22,ad,b7,0c,07,15,97,d4,c6,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2]

"hdf12"=hex:0c,6f,e8,5c,e9,35,7f,96,52,1d,07,98,22,ad,b7,0c,07,15,97,d4,c6,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3]

"hdf12"=hex:0c,6f,e8,5c,e9,35,7f,96,52,1d,07,98,22,ad,b7,0c,07,15,97,d4,c6,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:88,64,5d,85,69,95,a6,97,d8,a2,d7,3a,25,e7,9f,42,99,34,9b,7c,9d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]

"p0"="C:\Arquivos de programas\DAEMON Tools Lite\"

"h0"=dword:00000001

"hdf12"=hex:99,c4,3f,2d,f2,b8,15,ec,20,b1,98,f0,88,22,11,04,9c,b6,94,1e,fb,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]

"a0"=hex:20,01,00,00,3a,5a,2a,c2,a5,0d,64,57,86,c7,fd,ff,8a,f2,12,b6,7c,..

"hdf12"=hex:5f,ac,3a,0e,fc,14,7c,26,89,6d,13,d7,e7,35,7b,9d,ea,60,02,29,a1,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]

"hdf12"=hex:60,be,76,af,ef,f0,ce,70,5a,b6,3b,9a,3b,d5,31,b6,7d,e3,8e,20,a5,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]

"hdf12"=hex:0c,6f,e8,5c,e9,35,7f,96,52,1d,07,98,22,ad,b7,0c,07,15,97,d4,c6,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2]

"hdf12"=hex:0c,6f,e8,5c,e9,35,7f,96,52,1d,07,98,22,ad,b7,0c,07,15,97,d4,c6,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3]

"hdf12"=hex:0c,6f,e8,5c,e9,35,7f,96,52,1d,07,98,22,ad,b7,0c,07,15,97,d4,c6,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"h0"=dword:00000000

"khjeh"=hex:88,64,5d,85,69,95,a6,97,d8,a2,d7,3a,25,e7,9f,42,99,34,9b,7c,9d,..

 

scanning hidden registry entries ...

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]

"TracesProcessed"=dword:00000035

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"

"C:\\Arquivos de programas\\Aspyr\\Guitar Hero III\\GH3.exe"="C:\\Arquivos de programas\\Aspyr\\Guitar Hero III\\GH3.exe:*:Enabled:Guitar Hero III"

"C:\\Servfull 2.7\\Servfull-Gui.exe"="C:\\Servfull 2.7\\Servfull-Gui.exe:*:Enabled:The Forgotten Server"

"C:\\Level Up! Games\\Perfect World\\launcher\\Launcher.exe"="C:\\Level Up! Games\\Perfect World\\launcher\\Launcher.exe:*:Enabled:Perfect World"

"C:\\MuServer\\DataServer1\\DataServer.exe"="C:\\MuServer\\DataServer1\\DataServer.exe:*:Disabled:Dataserver ?? ????"

"C:\\MuServer\\DataServer2\\DataServer.exe"="C:\\MuServer\\DataServer2\\DataServer.exe:*:Disabled:Dataserver ?? ????"

"C:\\MuServer\\JoinServer\\JoinServer.exe"="C:\\MuServer\\JoinServer\\JoinServer.exe:*:Enabled:JoinServer"

"C:\\MuServer\\ExDB\\ExDB.exe"="C:\\MuServer\\ExDB\\ExDB.exe:*:Enabled:Exdb MFC ?? ????"

"C:\\MuServer\\ChatServer\\ChatServer.exe"="C:\\MuServer\\ChatServer\\ChatServer.exe:*:Enabled:ChatServer MFC ?? ????"

"C:\\MuServer\\EventServer\\EventServer.exe"="C:\\MuServer\\EventServer\\EventServer.exe:*:Enabled:EventServer"

"C:\\MuServer\\RankingServer\\RankingServer.exe"="C:\\MuServer\\RankingServer\\RankingServer.exe:*:Enabled:RankingServer"

"C:\\MuServer\\GAMESERVER\\GameServer.exe"="C:\\MuServer\\GAMESERVER\\GameServer.exe:*:Enabled:GameServer"

"C:\\MuServer\\GAMESERVER_CS\\GameServer_CS.exe"="C:\\MuServer\\GAMESERVER_CS\\GameServer_CS.exe:*:Enabled:GameServer"

"C:\\Arquivos de programas\\AnalogX\\PortBlocker\\pblock.exe"="C:\\Arquivos de programas\\AnalogX\\PortBlocker\\pblock.exe:*:Enabled:pblock"

"C:\\Documents and Settings\\winxp\\Desktop\\Portsafe_Anti-Nuker_.exe"="C:\\Documents and Settings\\winxp\\Desktop\\Portsafe_Anti-Nuker_.exe:*:Enabled:Portsafe_Anti-Nuker_"

"C:\\MuServer\\bin\\chat.exe"="C:\\MuServer\\bin\\chat.exe:*:Enabled:ChatServer MFC ?? ????"

"C:\\MuServer\\bin\\exdb.exe"="C:\\MuServer\\bin\\exdb.exe:*:Enabled:Exdb MFC ?? ????"

"C:\\MuServer\\bin\\event.exe"="C:\\MuServer\\bin\\event.exe:*:Enabled:event"

"C:\\MuServer\\bin\\ranking.exe"="C:\\MuServer\\bin\\ranking.exe:*:Enabled:ranking"

"C:\\MuServer\\bin\\joinserver.exe"="C:\\MuServer\\bin\\joinserver.exe:*:Enabled:JoinServer"

"C:\\Arquivos de programas\\Tibia\\Tibia.exe"="C:\\Arquivos de programas\\Tibia\\Tibia.exe:*:Enabled:Tibia Player"

"C:\\Arquivos de programas\\EA GAMES\\Battlefield 1942\\BF1942.exe"="C:\\Arquivos de programas\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"

"C:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"="C:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe:*:Enabled:Ventrilo.exe"

"D:\\MuServer\\JoinServerComAutoDC\\JoinServer.exe"="D:\\MuServer\\JoinServerComAutoDC\\JoinServer.exe:*:Enabled:JoinServer"

"D:\\MuServer\\DataServer1\\Dataserver.exe"="D:\\MuServer\\DataServer1\\Dataserver.exe:*:Disabled:Dataserver ?? ????"

"D:\\MuServer\\DataServer2\\Dataserver.exe"="D:\\MuServer\\DataServer2\\Dataserver.exe:*:Disabled:Dataserver ?? ????"

"D:\\MuServer\\bin\\exdb.exe"="D:\\MuServer\\bin\\exdb.exe:*:Enabled:Exdb MFC ?? ????"

"D:\\MuServer\\bin\\chat.exe"="D:\\MuServer\\bin\\chat.exe:*:Enabled:ChatServer MFC ?? ????"

"D:\\MuServer\\bin\\event.exe"="D:\\MuServer\\bin\\event.exe:*:Enabled:event"

"D:\\MuServer\\bin\\ranking.exe"="D:\\MuServer\\bin\\ranking.exe:*:Enabled:ranking"

"D:\\MuServer\\GameServer\\GameServer.exe"="D:\\MuServer\\GameServer\\GameServer.exe:*:Enabled:GameServer"

"D:\\MuServer\\GameServer_CS\\GameServer_CS.exe"="D:\\MuServer\\GameServer_CS\\GameServer_CS.exe:*:Enabled:GameServer"

"C:\\Arquivos de programas\\PortBlocker\\pblock.exe"="C:\\Arquivos de programas\\PortBlocker\\pblock.exe:*:Enabled:pblock"

"C:\\Arquivos de programas\\PortBlock\\pblock.exe"="C:\\Arquivos de programas\\PortBlock\\pblock.exe:*:Enabled:pblock"

"C:\\Arquivos de programas\\PBlock\\pblock.exe"="C:\\Arquivos de programas\\PBlock\\pblock.exe:*:Enabled:pblock"

"D:\\MuServer\\MuServer\\JoinServerComAutoDC\\JoinServer.exe"="D:\\MuServer\\MuServer\\JoinServerComAutoDC\\JoinServer.exe:*:Enabled:JoinServer"

"D:\\MuServer\\MuServer\\DataServer1\\Dataserver.exe"="D:\\MuServer\\MuServer\\DataServer1\\Dataserver.exe:*:Enabled:Dataserver ?? ????"

"D:\\MuServer\\MuServer\\DataServer2\\Dataserver.exe"="D:\\MuServer\\MuServer\\DataServer2\\Dataserver.exe:*:Enabled:Dataserver ?? ????"

"D:\\MuServer\\MuServer\\bin\\chat.exe"="D:\\MuServer\\MuServer\\bin\\chat.exe:*:Enabled:ChatServer MFC ?? ????"

"D:\\MuServer\\MuServer\\bin\\exdb.exe"="D:\\MuServer\\MuServer\\bin\\exdb.exe:*:Enabled:Exdb MFC ?? ????"

"D:\\MuServer\\MuServer\\bin\\event.exe"="D:\\MuServer\\MuServer\\bin\\event.exe:*:Enabled:event"

"D:\\MuServer\\MuServer\\bin\\ranking.exe"="D:\\MuServer\\MuServer\\bin\\ranking.exe:*:Enabled:ranking"

"D:\\MuServer\\MuServer\\GameServer\\GameServer.exe"="D:\\MuServer\\MuServer\\GameServer\\GameServer.exe:*:Enabled:GameServer"

"D:\\MuServer\\MuServer\\GameServer_CS\\GameServer_CS.exe"="D:\\MuServer\\MuServer\\GameServer_CS\\GameServer_CS.exe:*:Enabled:GameServer"

"C:\\Arquivos de programas\\TeamViewer\\Version5\\TeamViewer.exe"="C:\\Arquivos de programas\\TeamViewer\\Version5\\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application"

"D:\\MuServer\\bin\\joinserver.exe"="D:\\MuServer\\bin\\joinserver.exe:*:Enabled:JoinServer"

"D:\\MuServer\\ConnectServer\\ConnectServer.exe"="D:\\MuServer\\ConnectServer\\ConnectServer.exe:*:Disabled:ConnectServer"

"C:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

"C:\\Documents and Settings\\winxp\\Desktop\\muproxy\\MuProxy.exe"="C:\\Documents and Settings\\winxp\\Desktop\\muproxy\\MuProxy.exe:*:Enabled:MuOnline Proxy"

"C:\\Documents and Settings\\Dani\\Desktop\\muproxy\\MuProxy.exe"="C:\\Documents and Settings\\Dani\\Desktop\\muproxy\\MuProxy.exe:*:Enabled:MuOnline Proxy"

"C:\\Documents and Settings\\winxp\\Desktop\\Nova pasta\\MuProxy.exe"="C:\\Documents and Settings\\winxp\\Desktop\\Nova pasta\\MuProxy.exe:*:Enabled:MuOnline Proxy"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe:*:Enabled:Windows Live Call"

"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Tue 28 Jul 2009 1,548,120 A.SHR --- "C:\Arquivos de programas\Spybot - Search & Destroy\advcheck.dll"

Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Arquivos de programas\Spybot - Search & Destroy\SDUpdate.exe"

Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe"

Thu 5 Mar 2009 2,280,960 A.SHR --- "C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe"

Mon 26 May 2008 180,224 A..H. --- "C:\Dani\Mono II\~WRL0003.tmp"

Fri 25 Jul 2008 582,656 A..H. --- "C:\WINDOWS\system\svchosl.exe"

Wed 26 Aug 2009 8 ..SHR --- "C:\WINDOWS\system32\69482C521C.sys"

Wed 26 Aug 2009 2,516 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"

Fri 25 Jul 2008 582,656 A..H. --- "C:\Documents and Settings\Default User\Recent\svchosl.exe"

Thu 12 Mar 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

 

Finished!

[wings 22]

1.

*Delete o SDFix e a pasta C:\SDFix

 

2.

*Baixe o MalwareBytes Anti-malware e salve-o no desktop:

*Instale o programa

*Se alguma atualização existir,o download será automático. Aguarde...

*O programa será aberto automaticamente.

*Na aba [Verificação], selecione a opção [Verificação completa]

*Clique em [Verificar] e selecione as unidades (C:\ e D:\) a serem examinadas

*Ao término do scan, poderá ser interrogado se deseja remover objetos da memória. Clique [sIM] > [OK] > [Mostrar Resultados]

*Selecione todos os resultados e clique em [Remover Selecionados]

*Um relatório (mbam-log-ano-mês-data.txt) será apresentado.

*Cole-o na sua próxima resposta

[Igor Barbosa 0]

Malwarebytes' Anti-Malware 1.44

Versão do banco de dados: 3822

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.11

 

3/3/2010 17:55:28

mbam-log-2010-03-03 (17-55-28).txt

 

Tipo de Verificação: Completa (C:\|D:\|)

Objetos verificados: 257025

Tempo decorrido: 50 minute(s), 37 second(s)

 

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registro infectadas: 1

Valores do Registro infectados: 0

Ítens do Registro infectados: 1

Pastas infectadas: 0

Arquivos infectados: 2

 

Processos da Memória infectados:

(Nenhum ítem malicioso foi detectado)

 

Módulos de Memória Infectados:

(Nenhum ítem malicioso foi detectado)

 

Chaves do Registro infectadas:

HKEY_CURRENT_USER\full (Trojan.Banker) -> Quarantined and deleted successfully.

 

Valores do Registro infectados:

(Nenhum ítem malicioso foi detectado)

 

Ítens do Registro infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

 

Pastas infectadas:

(Nenhum ítem malicioso foi detectado)

 

Arquivos infectados:

D:\MuServer\CashShopServer\CashShopServer.exe (Malware.Packer) -> Quarantined and deleted successfully.

D:\MuServer\MuServer\CashShopServer\CashShopServer.exe (Malware.Packer) -> Quarantined and deleted successfully.

[wings 22]

Mantenha desativado o Spybot conforme orientei no início do seu tópico!!

 

*Desative temporariamente seu antivírus

 

*Baixe o ComboFix e salve-o no desktop

*Duplo-clique no arquivo Combofix.exe

*Aceite o contrato

 

*Se o console de recuperação do Windows já estiver instalado, o ComboFix continuará o processo automaticamente. Caso não esteja, uma janela conforme abaixo será aberta. Clique em [sIM] para aceitar a instalação do mesmo.

 

 

*Após a instalação, clique em [Yes] para continuar. Seja paciente e aguarde até que todas as etapas sejam concluídas.

 

 

 

*Importante: enquanto o ComboFix estiver em execução, não use o mouse nem o teclado!!..... Para interromper o procedimento tecle N ou 2 e depois ENTER.

 

*O programa será fechado automaticamente e um relatório (C:\combofix.txt) será apresentado.

 

*Cole-o na sua próxima resposta

[Igor Barbosa 0]

ComboFix 10-03-03.03 - winxp 04/03/2010 0:02.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2046.1591 [GMT -3:00]

Executando de: c:\documents and settings\winxp\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\KB8888239.log

c:\windows\system\svchosl.exe

c:\windows\system32\olemdb32.dll

c:\windows\system32\update.txt

c:\windows\wpe pro.INI

D:\install.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_OREANS32

-------\Service_oreans32

 

 

(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-04 to 2010-03-04 ))))))))))))))))))))))))))))

.

 

2010-03-03 19:57 . 2010-03-03 19:57 -------- d-----w- c:\documents and settings\winxp\Dados de aplicativos\Malwarebytes

2010-03-03 19:57 . 2010-01-07 19:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-03 19:57 . 2010-03-03 19:57 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware

2010-03-03 19:57 . 2010-03-03 19:57 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes

2010-03-03 19:57 . 2010-01-07 19:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-03 14:43 . 2010-03-03 14:43 -------- d-----w- c:\windows\ERUNT

2010-03-03 11:38 . 2010-03-03 11:41 -------- d-----w- C:\Hijack

2010-03-03 11:15 . 2010-03-03 11:23 -------- d-----w- c:\documents and settings\winxp\Dados de aplicativos\QuickScan

2010-03-03 11:15 . 2010-02-27 02:40 634616 ----a-w- c:\documents and settings\winxp\Dados de aplicativos\Mozilla\Firefox\Profiles\9yt57all.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

2010-03-03 11:15 . 2010-02-27 02:40 799440 ----a-w- c:\documents and settings\winxp\Dados de aplicativos\Mozilla\Firefox\Profiles\9yt57all.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

2010-03-02 23:11 . 2010-03-02 23:11 -------- d-----w- c:\windows\Pixart

2010-03-02 23:11 . 2010-03-02 23:11 -------- d-----w- c:\arquivos de programas\PC VGA Camer@

2010-03-02 23:11 . 2010-03-02 23:11 -------- d-----w- c:\arquivos de programas\Arquivos comuns\PCCamera

2010-03-02 23:11 . 2010-03-02 23:11 -------- d-----w- c:\windows\Downloaded Installations

2010-03-02 23:10 . 2007-05-08 13:20 -------- d-----w- C:\7311 7312 (D)

2010-03-02 04:03 . 2010-03-02 04:03 -------- d-----w- c:\documents and settings\winxp\Dados de aplicativos\AVG8

2010-03-01 08:01 . 2010-03-01 08:01 -------- d-----w- c:\windows\Nova pasta

2010-02-28 21:45 . 2010-02-28 22:45 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\FarmFrenzy3

2010-02-28 21:45 . 2010-03-01 23:27 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\AlawarWrapper

2010-02-28 21:44 . 2010-02-28 21:44 -------- d-----w- c:\arquivos de programas\Alawar

2010-02-23 20:26 . 2009-12-30 06:29 -------- d-----w- C:\Cliente 1.02C AsgardMu Online V3

2010-02-20 20:03 . 2010-01-20 15:35 52224 ----a-w- c:\documents and settings\winxp\Dados de aplicativos\Mozilla\Firefox\Profiles\9yt57all.default\extensions\{d6afa303-2c0d-428b-873e-0a4f9f87f728}\components\FFExternalAlert.dll

2010-02-20 20:03 . 2010-01-20 15:35 101376 ----a-w- c:\documents and settings\winxp\Dados de aplicativos\Mozilla\Firefox\Profiles\9yt57all.default\extensions\{d6afa303-2c0d-428b-873e-0a4f9f87f728}\components\RadioWMPCore.dll

2010-02-14 01:13 . 2010-03-03 21:08 -------- d-----w- C:\mubrb

2010-02-08 04:32 . 2010-02-25 16:11 -------- d-----w- c:\arquivos de programas\Webzen

 

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-04 03:16 . 2009-05-20 13:12 -------- d---a-w- c:\documents and settings\All Users\Dados de aplicativos\TEMP

2010-03-03 20:38 . 2009-12-31 19:43 79488 ----a-w- c:\documents and settings\Dani\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-03 02:44 . 2009-11-29 21:51 79488 ----a-w- c:\documents and settings\winxp\Dados de aplicativos\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-02 23:12 . 2009-02-27 14:32 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information

2010-03-02 14:51 . 2009-09-04 12:49 51200 ----a-w- c:\windows\system32\mswocx.dll

2010-03-02 04:11 . 2009-04-22 19:22 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy

2010-02-25 16:38 . 2001-10-28 15:07 92408 ----a-w- c:\windows\system32\perfc016.dat

2010-02-25 16:38 . 2001-10-28 15:07 504892 ----a-w- c:\windows\system32\perfh016.dat

2010-02-17 14:33 . 2009-02-28 17:09 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live

2010-02-12 01:14 . 2009-02-28 17:43 -------- d-----w- c:\documents and settings\winxp\Dados de aplicativos\uTorrent

2010-02-11 13:06 . 2009-06-03 02:30 -------- d-----w- c:\arquivos de programas\Microsoft

2010-02-04 09:52 . 2009-03-01 16:10 -------- d-----w- c:\arquivos de programas\Google

2010-01-28 13:33 . 2009-10-26 15:17 53616 ----a-w- c:\windows\system32\CMStarter_Eng.dll

2010-01-28 13:33 . 2009-10-26 15:17 53616 ----a-w- c:\windows\system32\CMStarter_Kor.dll

2010-01-28 13:33 . 2009-10-26 15:17 364912 ----a-w- c:\windows\system32\CMStarterCore.exe

2010-01-24 16:03 . 2010-01-24 14:57 -------- d-----w- c:\arquivos de programas\MuFight Season 4

2010-01-21 00:06 . 2010-01-21 00:06 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys

2010-01-19 15:17 . 2009-02-28 17:09 -------- d-----w- c:\arquivos de programas\Windows Live

2010-01-19 10:17 . 2009-10-23 15:50 -------- d-----w- c:\arquivos de programas\Gamers First

2009-12-16 18:37 . 2009-09-02 14:28 95744 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\SpeedBit\DAP\SDCondition.dll

2009-08-26 17:53 . 2009-08-26 17:53 8 --sh--r- c:\windows\system32\69482C521C.sys

2009-08-26 17:53 . 2009-08-26 17:53 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

 

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DownloadAccelerator"="c:\arquivos de programas\DAP\DAP.EXE" [2009-09-02 2749952]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 114688]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 372736]

"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 82432]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-03 7700480]

"nwiz"="nwiz.exe" [2006-11-03 1642496]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-03 86016]

"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-02-27 136600]

"SoundMAXPnP"="c:\arquivos de programas\Analog Devices\Core\smax4pnp.exe" [2005-05-20 946176]

"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 176128]

"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2009-11-11 438272]

"Corel Photo Downloader"="c:\arquivos de programas\Corel\Corel MediaOne\Corel Photo Downloader.exe" [2007-08-17 483144]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\

Service Manager.lnk - c:\arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2009-12-16 90112]

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=

"c:\\Arquivos de programas\\Aspyr\\Guitar Hero III\\GH3.exe"=

"c:\\Arquivos de programas\\AnalogX\\PortBlocker\\pblock.exe"=

"c:\\Arquivos de programas\\Tibia\\Tibia.exe"=

"c:\\Arquivos de programas\\EA GAMES\\Battlefield 1942\\BF1942.exe"=

"c:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"=

"d:\\MuServer\\JoinServerComAutoDC\\JoinServer.exe"=

"d:\\MuServer\\DataServer1\\Dataserver.exe"=

"d:\\MuServer\\DataServer2\\Dataserver.exe"=

"d:\\MuServer\\bin\\exdb.exe"=

"d:\\MuServer\\bin\\chat.exe"=

"d:\\MuServer\\bin\\event.exe"=

"d:\\MuServer\\bin\\ranking.exe"=

"d:\\MuServer\\GameServer\\GameServer.exe"=

"d:\\MuServer\\GameServer_CS\\GameServer_CS.exe"=

"c:\\Arquivos de programas\\PortBlock\\pblock.exe"=

"c:\\Arquivos de programas\\PBlock\\pblock.exe"=

"d:\\MuServer\\MuServer\\JoinServerComAutoDC\\JoinServer.exe"=

"d:\\MuServer\\MuServer\\DataServer1\\Dataserver.exe"=

"d:\\MuServer\\MuServer\\DataServer2\\Dataserver.exe"=

"d:\\MuServer\\MuServer\\bin\\chat.exe"=

"d:\\MuServer\\MuServer\\bin\\exdb.exe"=

"d:\\MuServer\\MuServer\\bin\\event.exe"=

"d:\\MuServer\\MuServer\\bin\\ranking.exe"=

"d:\\MuServer\\MuServer\\GameServer\\GameServer.exe"=

"d:\\MuServer\\MuServer\\GameServer_CS\\GameServer_CS.exe"=

"c:\\Arquivos de programas\\TeamViewer\\Version5\\TeamViewer.exe"=

"d:\\MuServer\\bin\\joinserver.exe"=

"d:\\MuServer\\ConnectServer\\ConnectServer.exe"=

"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Documents and Settings\\Dani\\Desktop\\muproxy\\MuProxy.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"44405:TCP"= 44405:TCP:44405

"44405:UDP"= 44405:UDP:44405

"8090:TCP"= 8090:TCP:8090

"8090:UDP"= 8090:UDP:8090

"25:TCP"= 25:TCP:*:Disabled:25

"110:TCP"= 110:TCP:*:Disabled:110

"113:TCP"= 113:TCP:*:Disabled:113

"119:TCP"= 119:TCP:*:Disabled:119

"135:TCP"= 135:TCP:*:Disabled:135

"3128:TCP"= 3128:TCP:*:Disabled:3128

"6588:TCP"= 6588:TCP:*:Disabled:6588

"44440:TCP"= 44440:TCP:*:Disabled:44440

"44441:TCP"= 44441:TCP:*:Disabled:44441

"44442:TCP"= 44442:TCP:*:Disabled:44442

"55560:TCP"= 55560:TCP:*:Disabled:55560

"55960:TCP"= 55960:TCP:*:Disabled:55960

"55961:TCP"= 55961:TCP:*:Disabled:55961

"55962:TCP"= 55962:TCP:*:Disabled:55962

"55963:TCP"= 55963:TCP:*:Disabled:55963

"55964:TCP"= 55964:TCP:*:Disabled:55964

"55966:TCP"= 55966:TCP:*:Disabled:55966

"55970:TCP"= 55970:TCP:*:Disabled:55970

 

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [31/3/2009 10:11 721904]

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [27/2/2009 11:40 11264]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2/6/2009 23:32 54752]

S2 gupdate1c99a88363f6988;Google Update Service (gupdate1c99a88363f6988);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [1/3/2009 13:10 133104]

S3 BuddyCentralService;Buddy Central Service 2;c:\gbwc server\BuddyCenter\BuddyCenter2.exe --> c:\gbwc server\BuddyCenter\BuddyCenter2.exe [?]

S3 BuddyService;Buddy Service 2;c:\gbwc server\BuddyServ\BuddyServ2.exe --> c:\gbwc server\BuddyServ\BuddyServ2.exe [?]

S3 fsssvc;Serviço Windows Live Proteção para a Família;c:\arquivos de programas\Windows Live\Family Safety\fsssvc.exe [5/8/2009 22:48 704864]

S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\winxp\CONFIG~1\Temp\LUO826.tmp --> c:\docume~1\winxp\CONFIG~1\Temp\LUO826.tmp [?]

S3 LLRING0;LLRING0;\??\c:\arquivos de programas\Mu ES\iGNis MuOnline\MuGuard\llck1.sys --> c:\arquivos de programas\Mu ES\iGNis MuOnline\MuGuard\llck1.sys [?]

S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

S3 PAC7311;VGA SoC PC-Camer@;c:\windows\system32\drivers\PA707UCM.SYS [16/2/2005 09:15 144768]

S3 XDva279;XDva279;\??\c:\windows\system32\XDva279.sys --> c:\windows\system32\XDva279.sys [?]

.

Conteúdo da pasta 'Tarefas Agendadas'

 

2010-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-07-30 14:34]

 

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-03-01 16:10]

 

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2009-03-01 16:10]

.

.

------- Scan Suplementar -------

.

uStart Page = hxxp://search.speedbit.com/

uInternet Connection Wizard,ShellNext = iexplore

IE: &Clean Traces - c:\arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

IE: &Download with &DAP - c:\arquivos de programas\DAP\dapextie.htm

IE: Download &all with DAP - c:\arquivos de programas\DAP\dapextie2.htm

IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

TCP: {668F7278-5AE7-4C18-A5A5-0C17F9E8E7E0} = 208.67.222.222,208.67.220.220

FF - ProfilePath - c:\documents and settings\winxp\Dados de aplicativos\Mozilla\Firefox\Profiles\9yt57all.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2370724&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - www.google.com

FF - component: c:\arquivos de programas\DAP\DAPFireFox\components\DAPFireFox.dll

FF - component: c:\documents and settings\winxp\Dados de aplicativos\Mozilla\Firefox\Profiles\9yt57all.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll

FF - plugin: c:\arquivos de programas\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\arquivos de programas\Google\Update\1.2.183.17\npGoogleOneClick8.dll

FF - plugin: c:\arquivos de programas\WEBZEN\WebzenGameStarter\NPGameWebStarter.dll

FF - plugin: c:\arquivos de programas\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: c:\documents and settings\winxp\Dados de aplicativos\Mozilla\Firefox\Profiles\9yt57all.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

 

---- FIREFOX POLICIES ----

c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

- - - - ORFÃOS REMOVIDOS - - - -

 

URLSearchHooks-{511131f1-4629-4254-a85f-ed7b6d75dd3c} - c:\arquivos de programas\Alawar.com\tbAla1.dll

BHO-{511131f1-4629-4254-a85f-ed7b6d75dd3c} - c:\arquivos de programas\Alawar.com\tbAla1.dll

Toolbar-{511131f1-4629-4254-a85f-ed7b6d75dd3c} - c:\arquivos de programas\Alawar.com\tbAla1.dll

WebBrowser-{511131F1-4629-4254-A85F-ED7B6D75DD3C} - c:\arquivos de programas\Alawar.com\tbAla1.dll

HKCU-Run-PlayNC Launcher - (no file)

HKLM-Run-msnmsrg - c:\windows\System\svchosl.exe

AddRemove-Alawar.com Toolbar - c:\arquiv~1\Alawar.com\UNWISE.EXE

AddRemove-HijackThis - c:\documents and settings\winxp\Desktop\HijackThis.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-04 00:16

Windows 5.1.2600 Service Pack 2 NTFS

 

Procurando processos ocultos ...

 

Procurando entradas auto inicializáveis ocultas ...

 

Procurando ficheiros/arquivos ocultos ...

 

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

 

**************************************************************************

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys JGOGO.sys >>UNKNOWN [0x89BE31F8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba8fcfc3

\Driver\ACPI -> ACPI.sys @ 0xba666cb8

\Driver\atapi -> 0x89c531f8

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c

ParseProcedure -> ntkrnlpa.exe @ 0x8058155c

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c

ParseProcedure -> ntkrnlpa.exe @ 0x8058155c

NDIS: Realtek RTL8169/8110 Family Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xba517ba0

PacketIndicateHandler -> NDIS.sys @ 0xba524b21

SendHandler -> NDIS.sys @ 0xba50287b

Warning: possible MBR rootkit infection !

user & kernel MBR OK

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]

"ImagePath"="\??\c:\docume~1\winxp\CONFIG~1\Temp\LUO826.tmp"

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

"ImagePath"="c:\windows\system32\GameMon.des -service"

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ð•€|ÿÿÿÿ.•€|þ»Òw*]

"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"

.

--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

 

- - - - - - - > 'explorer.exe'(1008)

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Outros Processos em Execução ------------------------

.

c:\appserv\Apache\Apache.exe

c:\arquivos de programas\Java\jre6\bin\jqs.exe

c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\appserv\Apache\Apache.exe

c:\arquiv~1\MI6841~1\MSSQL\binn\sqlservr.exe

c:\appserv\mysql\bin\mysqld-nt.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PSIService.exe

c:\windows\System32\PAStiSvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Tempo para conclusão: 2010-03-04 00:20:31 - Máquina reiniciou

ComboFix-quarantined-files.txt 2010-03-04 03:20

 

Pré-execução: 21 pasta(s) 13.190.348.800 bytes disponíveis

Pós execução: 23 pasta(s) 13.104.148.480 bytes disponíveis

 

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

 

- - End Of File - - B7486EBE13AA9E81616BE4D777F958E3

[wings 22]

*Envie o arquivo abaixo para análise em http://virscan.org

 

c:\windows\system32\69482C521C.sys

*Cole o link contendo o resultado da análise.

[Igor Barbosa 0]

http://virscan.org/report/8d88a27d04197b36a1b3dbefa1c2921b.html

 

 

Resultado da Verificação : Todos os softwares reportaram que não encontraram códigos maliciosos!

[wings 22]

OK...

 

*Baixe o SystemLook e salve-o no desktop

*Selecione e copie (Ctrl+c) o código abaixo:

 

:dir

c:\windows\Nova pasta

C:\mubrb

*Duplo clique em SystemLook.exe

*Cole (Ctrl+v) o código no espaço em branco

*Clique em [Look]

*Cole o relatório apresentado em SystemLook.txt localizado no desktop

[Igor Barbosa 0]

esse mubrb é um jogo...

 

 

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 13:00 on 04/03/2010 by winxp (Administrator - Elevation successful)

 

========== dir ==========

 

c:\windows\Nova pasta - Parameters: "(none)"

 

---Files---

None found.

 

---Folders---

None found.

 

C:\mubrb - Parameters: "(none)"

 

---Files---

AutoUpdate.exe --a--- 45056 bytes [20:43 28/02/2010] [23:15 24/02/2010]

BrB Mu Windows Mode Off.reg --a--- 118 bytes [20:43 28/02/2010] [20:16 23/01/2010]

BrB Mu Windows Mode On.reg --a--- 118 bytes [20:43 28/02/2010] [20:14 23/01/2010]

config.ini --a--- 47 bytes [20:43 28/02/2010] [01:04 09/04/2008]

Cópia de Mu.dll --a--- 53248 bytes [20:58 28/02/2010] [13:30 17/01/2009]

Cópia de mu.exe --a--- 802816 bytes [20:58 28/02/2010] [14:34 04/07/2007]

Dec1.dat --a--- 54 bytes [20:45 28/02/2010] [14:51 02/03/2010]

Dec1.zip --a--- 606 bytes [15:07 02/03/2010] [15:07 02/03/2010]

Dec2.dat --a--- 54 bytes [20:45 28/02/2010] [14:51 02/03/2010]

Enc1.dat --a--- 54 bytes [20:45 28/02/2010] [14:51 02/03/2010]

Enc2.dat --a--- 54 bytes [20:45 28/02/2010] [14:51 02/03/2010]

GameGuard.des --a--- 276673 bytes [20:44 28/02/2010] [20:03 03/03/2008]

hook.dll --a--- 49152 bytes [20:44 28/02/2010] [16:18 16/09/2006]

main.exe --a--- 4109824 bytes [20:44 28/02/2010] [18:41 26/02/2010]

Main.zip --a--- 1525180 bytes [06:18 02/03/2010] [06:18 02/03/2010]

message.wtf --a--- 1706 bytes [20:44 28/02/2010] [00:50 22/01/2010]

MFSvc2.dll --a--- 122940 bytes [20:44 28/02/2010] [19:24 26/08/2003]

MuEng.ini --a--- 307 bytes [20:44 28/02/2010] [20:25 03/03/2008]

MuError.dmp --a--- 20890 bytes [03:50 02/03/2010] [02:57 04/03/2010]

MuError.log --a--- 9331 bytes [20:44 28/02/2010] [14:38 04/03/2010]

MuEULA.txt --a--- 14756 bytes [20:44 28/02/2010] [14:13 15/09/2006]

mumsg.dll --a--- 49152 bytes [20:44 28/02/2010] [01:15 08/10/2001]

ogg.dll --a--- 53248 bytes [20:44 28/02/2010] [13:34 14/05/2004]

Play BrB Mu Online.exe.lnk --a--- 879 bytes [20:53 28/02/2010] [01:06 25/02/2010]

READ ME FIRST.txt --a--- 1335 bytes [20:44 28/02/2010] [01:51 25/02/2010]

Screen(03_02-02_40)-0000.jpg --a--- 467021 bytes [05:40 02/03/2010] [05:40 02/03/2010]

Screen(03_02-02_45)-0001.jpg --a--- 494645 bytes [05:45 02/03/2010] [05:45 02/03/2010]

Screen(03_02-13_08)-0000.jpg --a--- 681129 bytes [16:08 02/03/2010] [16:08 02/03/2010]

settings.ini --a--- 66 bytes [20:44 28/02/2010] [10:40 04/12/2009]

vorbisfile.dll --a--- 999424 bytes [20:44 28/02/2010] [13:34 14/05/2004]

windowsmode.exe --a--- 61440 bytes [20:44 28/02/2010] [16:18 16/09/2006]

wsctlc.dll --a--- 45056 bytes [20:44 28/02/2010] [10:37 24/08/2001]

wsctlcd.dll --a--- 229432 bytes [20:44 28/02/2010] [05:55 15/09/2000]

wzAudio.dll --a--- 212992 bytes [20:44 28/02/2010] [13:34 14/05/2004]

wz_zp.dll --a--- 381010 bytes [20:44 28/02/2010] [14:34 10/09/2002]

 

---Folders---

data d----- [20:43 28/02/2010]

GameGuard d----- [20:44 28/02/2010]

Temp d----- [20:45 28/02/2010]

Νέος φάκελος (6) d----- [20:53 28/02/2010]

 

-=End Of File=-

[wings 22]

1.

*Delete o SystemLook e seu relatório

 

2.

*Novo log do hijack

[Igor Barbosa 0]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:23:08, on 4/3/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Java\jre6\bin\jqs.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\ARQUIV~1\MI6841~1\MSSQL\binn\sqlservr.exe

C:\Arquivos de programas\Java\jre6\bin\jusched.exe

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\Arquivos de programas\Corel\Corel MediaOne\Corel Photo Downloader.exe

C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\AppServ\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\explorer.exe

C:\Hijack\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Arquivos de programas\Corel\Corel MediaOne\Corel Photo Downloader.exe" -startup

O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Arquivos de programas\DAP\DAP.EXE" /STARTUP

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Service Manager.lnk = C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Incluir no Blog - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Incluir no Blog no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Arquivos de programas\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{668F7278-5AE7-4C18-A5A5-0C17F9E8E7E0}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS1\Services\Tcpip\..\{668F7278-5AE7-4C18-A5A5-0C17F9E8E7E0}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS2\Services\Tcpip\..\{668F7278-5AE7-4C18-A5A5-0C17F9E8E7E0}: NameServer = 208.67.222.222,208.67.220.220

O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe

O23 - Service: Buddy Central Service 2 (BuddyCentralService) - Unknown owner - C:\GBWC Server\BuddyCenter\BuddyCenter2.exe (file missing)

O23 - Service: Buddy Service 2 (BuddyService) - Unknown owner - C:\GBWC Server\BuddyServ\BuddyServ2.exe (file missing)

O23 - Service: GunBoundXPBroker[8372] - Unknown owner - C:\GBWC Server\GunBoundBroker\GunBoundBroker3.exe (file missing)

O23 - Service: GunBoundXPServ[8360] - Unknown owner - C:\GBWC Server\GunBoundServ1\GunBoundServ3.exe (file missing)

O23 - Service: GunBoundXPServ[8361] - Unknown owner - C:\GBWC Server\GunBoundServ2\GunBoundServ3.exe (file missing)

O23 - Service: GunBoundXPServ[8362] - Unknown owner - C:\GBWC Server\GunBoundServ3\GunBoundServ3.exe (file missing)

O23 - Service: GunBoundXPServ[8363] - Unknown owner - C:\Gunbound\Server8363\GunBoundServ3.exe (file missing)

O23 - Service: Google Update Service (gupdate1c99a88363f6988) (gupdate1c99a88363f6988) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe

O23 - Service: MySQL - Unknown owner - C:\AppServ\mysql\bin\mysqld-nt.exe

O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

 

--

End of file - 8403 bytes

[wings 22]

1.

*Execute o hijack, clique em [Do a system scan only], selecione as entradas abaixo e clique em [Fix checked]

 

O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

*Feche o hijack.

 

2.

*Clique em [iniciar] > [Executar] > digite: Combofix /uninstall

*Clique [OK]

 

 

*Clique em [Executar]

*Aguarde até surgir a mensagem: "ComboFix está desinstalado"

 

*Clique [OK]

 

3.

*Baixe o MBR e salve-o em C:\

*Clique em Iniciar > Executar > copie e cole: c:\mbr.exe -f

*Clique OK. Caso seja perguntado, permita que o programa seja executado. Ele abrirá e fechará rapidamente.

*Duplo clique em C:\mbr.exe

*Cole o relatório criado em C:\MBR.txt

[Igor Barbosa 0]

nao fez nenhum relatorio com MBR.txt

 

crio um mbr.log:

 

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

[wings 22]

OK..o relatório é este mesmo.

 

Delete os arquivos C:\mbr.exe e C:\mbr.log

 

 

O PC está limpo.... :)

 

 

1.

*Baixe o ATF Cleaner e salve-o no desktop

*Duplo clique em ATF-Cleaner.exe

*Em Main selecione [select all]

*Clique em [Empty Selected]

=>Caso use Firefox ou Opera, também, siga os procedimentos abaixo:

*Em "Firefox" ou em "Opera" clique em [select all] ( se você deseja manter suas passwords clique No, caso contrário clique Yes).

*Clique [Empty Selected] ( se você deseja manter suas passwords clique No, caso contrário clique Yes).

*Clique em [Exit] ou no [X] para sair do programa

 

 

Um abraço.

[Igor Barbosa 0]

vlw demais cara, abração.

[wings 22]

PROBLEMA RESOLVIDO!

 

Caso o autor necessite que o tópico seja reaberto basta enviar uma Mensagem Privada para um Moderador com um link para o tópico.